One of the most important features of NSS is its flexible, yet powerful, security model. This security is integrated with eDirectory and offers comprehensive security management through command-line utilities, NetStorage, or the Novell Client. As mentioned earlier in this chapter, NSS operates in two modes, NetWare mode and Linux mode. NetWare mode requires that eDirectory user accounts be used to access NSS volumes. This allows for integration with eDirectory, and is the only way to provide for the advanced security capabilities described in this section. Linux mode refers to accessing NSS volumes using local user accounts. In this mode, you are limited to the traditional POSIX permissions seen with other Linux filesystems. Information about POSIX permissions can be found in Chapter 3, "Working with SUSE Linux Enterprise Server 9." With an NSS filesystem in NetWare mode, you can implement two types of security tools in the filesystem, either together or separately, to protect your files:
Filesystem Trustee Rights
Filesystem trustee rights allow eDirectory users and groups to work with files and directories on NSS volumes in specific ways. Each right determines whether a user can do things such as see, read, change, rename, or delete the file or directory. NSS filesystem rights obey inheritance rules just like eDirectory rights. When rights are assigned to a file, they define a user's allowable actions for that file only. When rights are assigned to a directory, they affect a user's allowable actions on not only the directory itself but also everything stored within that directory. Although filesystem rights are similar in nature to the eDirectory rights for objects and properties (described in Chapter 8, "Users and Network Security"), they are not the same thing. Filesystem rights are separate from eDirectory rights. They affect only how users work with files and directories. eDirectory rights affect how users work with other eDirectory objects. There are eight filesystem trustee rights. You can assign any combination of those filesystem rights to a user or group, depending on how you want that user or group to work. Table 11.2 describes the available filesystem rights and how they affect directory and file access.
NOTE Trustee assignments are the only way to enforce access control on NSS volumes under Linux. Using the traditional Linux permission tools, such as chown or chgrp, will not affect access from eDirectory users. These tools should only be used when accessing Linux volumes in Linux mode.
INHERITING FILESYSTEM RIGHTS
Just like eDirectory rights, NSS filesystem rights can be inherited. This means that if you have filesystem rights to a parent directory, you can also inherit those rights and exercise them in any file and subdirectory within that directory. Inheritance keeps you from having to grant users filesystem rights at every level of the filesystem. You can block inheritance by removing the right from the IRF of a file or subdirectory. As with directory objects, every directory and file has an inherited rights filter, specifying which filesystem rights can be inherited from a parent directory. By default, file and directory IRFs allow all rights to be inherited. Inheritance can also be blocked by granting a new set of trustee rights to a subdirectory or file within the parent directory. As with eDirectory rights, inherited and explicit filesystem rights are not cumulative. Explicit assignments replace the inherited rights from a parent directory.
FILESYSTEM SECURITY EQUIVALENCE
Security equivalence for NSS filesystem rights works the same way as security equivalence for eDirectory rights (explained in Chapter 8). You can assign one user to have the same eDirectory rights and filesystem rights as another user by using the Security Equal To Me tab in an object's properties page.
NOTE Remember: You are still subject to the shortcomings of security equivalence as described in Chapter 8.
FILESYSTEM EFFECTIVE RIGHTS
Just as with eDirectory rights, determining which NSS filesystem rights a user can actually exercise in a file or directory can be confusing at first. A user's effective filesystem rights are the filesystem rights that the user can ultimately execute in a given directory or file. The user's effective rights to a directory or file are determined in one of two ways:
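The inheritance, IRF and security-equivalence rules described above can be worked through with a small model. The following is an added illustration written for this chapter, not Novell's code; the right letters SRWCEMFA are the standard NetWare abbreviations, the sample volume tree and user names are constructed, and the rule that a file-system IRF never blocks the Supervisor right is a NetWare fact assumed here rather than stated on this page.

```python
# Added model of the trustee-rights rules described above (inheritance, IRF
# masking, explicit assignments replacing inherited ones, security equivalence).
# Illustration only, not Novell's code. Rights use the NetWare letters SRWCEMFA.
RIGHT_ORDER = "SRWCEMFA"
ALL_RIGHTS = frozenset(RIGHT_ORDER)


def trustee_rights(path, trustees, irfs, trustee):
    """Rights one trustee holds at `path`, walking down from the volume root.

    trustees: {path: {trustee_name: set_of_rights}}   explicit assignments
    irfs:     {path: set_of_rights}; a path with no entry keeps the default
              IRF, which lets every right through.
    """
    rights = set()
    current = ""
    for part in path.split("/"):
        current = part if not current else f"{current}/{part}"
        explicit = trustees.get(current, {}).get(trustee)
        if explicit is not None:
            # An explicit assignment replaces the inherited rights (not cumulative).
            rights = set(explicit)
        else:
            # Inherited rights are masked by this level's IRF. Supervisor is never
            # blocked by a file-system IRF (NetWare rule assumed here; not on this page).
            irf = irfs.get(current, ALL_RIGHTS)
            rights = {r for r in rights if r in irf or r == "S"}
    return rights


def effective_rights(path, trustees, irfs, user, equivalences=None):
    """Union of the user's own rights and those of every trustee the user is
    security-equivalent to (rights from different trustees do accumulate)."""
    identities = [user] + list((equivalences or {}).get(user, []))
    rights = set()
    for ident in identities:
        rights |= trustee_rights(path, trustees, irfs, ident)
    return "".join(r for r in RIGHT_ORDER if r in rights)


# Constructed sample tree: alice gets RWCEMF on data/, the reports/ IRF lets
# only R, W and F through, and reports/private carries an explicit RF for alice.
TRUSTEES = {
    "VOL1/data": {"alice": set("RWCEMF"), "bob": set("F")},
    "VOL1/data/reports/private": {"alice": set("RF")},
}
IRFS = {"VOL1/data/reports": set("RWF")}
EQUIV = {"bob": ["alice"]}  # bob is security equal to alice

if __name__ == "__main__":
    for p in ("VOL1/data", "VOL1/data/reports", "VOL1/data/reports/private/q1.txt"):
        print(p, effective_rights(p, TRUSTEES, IRFS, "alice"),
              effective_rights(p, TRUSTEES, IRFS, "bob", EQUIV))
```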
WORKING WITH FILESYSTEM TRUSTEE RIGHTS
iManager can't yet take you into the NSS or NCP filesystem. You can assign rights at the volume level, but not at the directory or file level. Use NetStorage, the Novell Client, or the command-line rights utility to work with filesystem rights.
MANAGING RIGHTS WITH THE NOVELL CLIENT
To see or change a user's trustee assignments with the Novell Client, complete the following steps:
You can make a user a trustee of a FileSystem object using the NetWare Rights tab of the Novell Client by doing the following:
If the user is already a trustee, simply highlight the appropriate User object in the Trustees box and perform step 2.
MANAGING TRUSTEES AT THE COMMAND LINE
To see or change a user's trustee assignments at the command line, you cannot use the normal Linux chown utility. Although this utility can manipulate the POSIX ownership of an NSS volume in Linux mode, it cannot view or modify the extended trustee assignments available with NSS in NetWare mode. To adjust NSS trustee assignments, you must use the rights command-line utility. The rights utility can be used to view effective rights; view, modify, and delete trustee assignments; and modify the inherited rights filter. To view trustee assignments using the rights utility, execute the following command (the -f option names the file or directory to operate on):
    rights -f <File_Or_Directory> show
To view the effective rights of a particular eDirectory user, use the following command:
    rights -f <File_Or_Directory> effective <Username>
Finally, to add or delete trustee assignments, use the following commands:
    rights -f <File_Or_Directory> trustee <Username>
    rights -f <File_Or_Directory> delete <Username>
For more information on the rights command, use rights -help. NetStorage can also be used to adjust file and directory trustee assignments. This option is available through the properties of files and directories while logged in to NetStorage. For more information on NetStorage, see Chapter 12.
File and Directory Attributes
Another important NSS security tool for securing files and directories is attributes. Attributes are properties of NSS files and directories that control what can happen to those files or directories. Attributes, which are also called flags, differ from trustee rights in several ways:
Knowing these distinctions between NSS file attributes and trustee rights will help you better understand the behavior of the NSS filesystem. There are twelve NSS attributes that apply to either files or directories. However, there are only four core attributes that are configurable using traditional POSIX utilities from a Linux terminal. These attributes are listed in Table 11.3.
These four attributes can be used in combination with each other to produce several possible configurations of file attributes. Each combination of attributes can be assigned using the Linux utility chmod. This utility is used to assign file permissions on traditional Linux filesystems and file attributes on NSS. On traditional Linux filesystems, you must specify the permissions for the user owner, group owner, and all other Linux users when assigning permissions with chmod. On an NSS volume, the permissions are managed through trustee assignments and are not settable through chmod. Therefore, the file or directory ownership, visible when listing files from a terminal, has no real relevance to the permissions users have to the object. Because the ownership does not matter, it is also not necessary to specify the user, group, and other permissions when assigning file attributes on an NSS volume through chmod. Specifying the file attributes using the user owner field only is sufficient. In other words, on a traditional Linux filesystem, chmod 700 would give the user owner full permissions to the file and no permissions would be granted to the group owner or other category of users. That same command on an NSS volume would assign specific attributes on the file, for all trustees of the file. Displaying the file using the ls command would also display these attributes as though all categories of users were assigned the attributes, not just the user owner category. The end result of this is that the chmod 700 command produces the same attribute assignment as chmod 755 or chmod 722. Setting NSS file attributes using chmod uses the same octal notation that chmod uses on traditional filesystems. Possible combinations of attributes are listed in Table 11.4.
NOTE The chmod permissions of 200 and 300 are not designed to be used. They create a hidden file that can be written to with the proper trustee assignments, but they offer no benefit over the 000 setting.
There are additional NSS attributes, which can be used for specific requirements. These attributes can be set or adjusted using NetStorage or the NSS command-line utility /sbin/attrib. Although you can set these additional attributes on files and directories, some attributes are only applicable to one or the other. A list of commonly used NSS attributes can be found in Table 11.5.
To assign advanced NSS attributes to a file or directory using NetStorage, complete the following steps:
It is also possible to use the terminal-based utility /sbin/attrib to set file and directory attributes. This utility can be used to set advanced attributes not listed in Table 11.5. For information on using this utility, execute /sbin/attrib help, or see the online OES documentation. For additional information on NetStorage, see Chapter 12.